The General Data Protection Regulation (GDPR) gives data subjects rights over their own personal data, including the right of access to personal data processed by a controller (Article 15).
In practice, the data subject can ask an organisation to access and provide a copy of the data it holds about them.
Where the data subject is an employee, the question of whether all the data can be transmitted to them is more complex, particularly as some of the data may be contained in business emails or other confidential files.
The French Data Protection Authority (CNIL) has issued recommendations on the application of the right of access to employee data. This article therefore aims to provide an overview of the various issues that may arise, particularly when the request concerns emails. To some extent, these guidelines are also valid for most EU countries.
1. What is the right of access?
The right of access, provided for in Article 15 of the GDPR, allows a person, including an employee, to know whether data relating to them are being processed by a controller, including the employer.
If they so wish, the data subject may obtain a copy of their data in an intelligible format.
2. Form of the request and ways to identify the employee
2.1. Form of the request
The GDPR does not require any particular format for the request, and the employer should therefore not be unnecessarily demanding about its form.
Although the right of access applies only to personal data and not to documents, the employer should not require specific wording before deciding whether or not to comply with an employee’s request.
Where a specific regime for access to documents applies (e.g. for public administrations), the person must specify whether they are requesting access to documents or personal data.
In other cases, it may be wrong to reject the request simply because the applicant uses the word “document” instead of “data” or “information”. Rather, the request should be clarified with the applicant or construed as a request to exercise the right of access to personal data.
2.2. How to identify the employee who made the request
The controller must verify the identity of the person exercising the right of access.
If the controller has doubts about the identity of the data subject, it may request additional information so that the data subject can prove their identity. However, any request for additional information must be proportionate.
Thus, in the case of an employee, the CNIL considers that it is not necessary to request a copy of the identity document in the following cases:
- if the employee’s request is submitted via his or her professional e-mail or the organisation’s intranet;
- if a former employee proves his or her identity by providing his or her former work ID.
In practice, the level of identification/authentication should be adapted to the sensitivity of the data to be provided and to the size of the company.
For instance, if a former employee merely gives a personal identifier via a personal email address, this may be insufficient where sensitive information is requested.
While this is a pragmatic approach that works for most requests, the GDPR security requirement should not be overlooked. For example, access to information on salaries, illnesses, etc. should be approached on a case-by-case basis.
A priori, in large corporate groups this information is accessible via a highly secured intranet, so the right of access procedure should not allow the security measures in place to be circumvented. In such cases, the employee should be referred to the intranet.
2.3. Purpose of the request
2.3 Purpose of the request
The right of access does not need to be motivated or have any purpose. It should not be confused with the other rules on the communication of documents or exhibits in the context of legal proceedings or a request for an administrative document (CADA).
In the case of a request submitted by an employee, the request is frequently made for pre-litigation or litigation purposes, with a view to obtaining emails or other documents.
Even so, it is not possible to refuse the right of access request on the basis that proceedings are ongoing or that the request circumvents procedural rules. However, care must be taken about the data communicated, as the exercise of the right of access should not be confused with the exercise of a right of access to documents (see point 4 on the scope of the right of access for more details).
3. The response
3.1. Timing, the copy of data and additional information
In addition to the copy of the employee’s data, the controller must also provide additional information as part of its reply, such as the purposes of the data processing, the categories of data processed, the recipients of the data, etc.
The controller must respond without undue delay and at the latest within one month of the request. An extension of this deadline may be granted in certain circumstances.
3.2. The response is, in principle, free of charge
Often employees’ requests are complex and require hours of work and research, especially when it comes to emails or other information that is difficult to find or sort.
It is therefore tempting in these cases to ask the employee who submitted the request to pay the costs of searching, sorting or even hiring a lawyer.
The principle is that the exercise of rights is free of charge.
However, the GDPR provides that where requests are manifestly unfounded or excessive, in particular because of their repetitive nature, or where an additional copy is requested, it is possible to charge a reasonable fee based on the administrative costs.
Such a reasonable fee should not, a priori, cover legal, search or sorting costs in connection with a request for an additional copy.
If the request is manifestly unfounded or excessive, the controller also has the right to refuse to respond to it. It is therefore important to consider this option before requesting a fee.
Indeed, since the right of access is a fundamental right, any refusal must be justified, and the fee, which must be reasonable, should not be a disguised means of refusing to comply without justification.
4. The scope of the employee’s right of access
In practice, employees often request copies of documents containing their personal data.
It is therefore important to remember that the right of access relates to personal data and not to documents.
4.1. Sending copies of documents is possible but not mandatory
Although “document” and “personal data” are two different concepts, the organisation is not prohibited from sending the documents containing the data rather than just the data, if there is nothing to prevent this and if it is more practical.
However, sending whole documents should not infringe the rights of third parties.
4.2. Business e-mails
4.2.1. Principle: disclosure of the business e-mails
According to the CNIL, when the access request concerns e-mails, the employer must provide both the metadata (time stamp, recipients, etc.) and the content of the e-mails.
In this case, the employer may provide a copy of the e-mails. However, there are limits to this principle as the disclosure of e-mails may have consequences for third parties.
4.2.2. Limits: the exercise of the right of access must not infringe the rights of third parties
The rights of third parties correspond essentially to business secrecy, intellectual property, the right to privacy and the secrecy of correspondence.
The right of access to emails must therefore be limited to only those data whose communication does not disproportionately infringe the rights of others.
The employer must assess the infringement of the rights of third parties that communication of the whole emails would represent and must distinguish two situations, depending on whether the requesting employee is:
– sender/recipient of the e-mail; or
– merely mentioned in the content of the e-mail.
4.2.3. The applicant is sender/recipient of the e-mail
In this case, the communication of e-mails is presumed to respect the rights of third parties.
However, if the disclosure still poses a risk to the rights of third parties, e.g. due to the nature of the data that may be disclosed, the employer must delete, anonymise or pseudonymise the third party data or data that infringes on a secret in order to comply with the request.
If these measures prove insufficient, the employer may refuse to grant the request for access, giving reasons and justifying its decision to the data subject. The CNIL specifies that these arguments may not be invoked by the employer without prior substantiated justification to the applicant.
Example: an employer may refuse to grant a request for communication of e-mails containing information that would undermine national security or an industrial secret.
Comments: The CNIL gives examples which are rarely applicable in practice. Indeed, employees often ask for a copy of emails with a view to legal proceedings, and these emails sometimes contain information relating to files, commercial projects or the strategy of the organisation. It seems that these specific cases could also justify a refusal.
4.2.4. The employee is only mentioned in the content of the email
If the means of identifying the data are excessively intrusive for other employees and third parties (e.g. scanning all company mailboxes), the employee should be asked to narrow his or her request in order to limit the search to certain types of emails.
If the employee refuses to narrow the request, the CNIL considers that it is possible to refuse the request, provided the employer justifies the real risk to the rights of third parties.
In other cases and once the emails have been identified, it is necessary to question the infringement of the rights of third parties (including in particular the secrecy of correspondence, the privacy of the sender of the emails). See the previous point for the measures to be applied.
4.3. Personal e-mails
The CNIL considers that when an email is identified as personal, or when its content proves to be private despite the absence of any mention of its personal nature, the employer is not authorised to access it.
The employer will therefore not be able to access the content and will have to provide the email as is, provided that the employee is the sender or the recipient of the email.
The CNIL’s wording does not seem sufficiently precise insofar as, according to the case law of the Social Chamber of the French Supreme Court, an email is presumed to be professional unless otherwise stated.
Thus, in practice, it simply seems preferable not to modify “private/personal” emails, or those considered as such in view of their content.
The CNIL has mainly focused on access to emails but the same reasoning could apply to any other type of documents containing employee information.
For any help or questions, you can contact Arnaud Blanc, a French qualified lawyer.